What are the HIPAA e-signature requirements?

Digital signatures have proved, in the healthcare industry, to increase the efficiency of many processes, yet the question still remains whether the rules for these comply with HIPAA e-signature requirements?

The answer to this question is “yes”, if certain mechanisms are implemented to ensure the legality and security of the contract, document, agreement or authorization, and there is no danger to the integrity of PHI.

Are E-Signatures Mentioned in HIPAA?

Proposals for the using of e-signatures under HIPAA rules were formulated in the initial draft of the 2003 Security Rule, but then taken out before the legislation was passed. Later guidance relating to Business Associate Agreements and the exchange of electronic health information has been posted on the U.S: Department of Health and Human Resources website that states: “No standards exist under HIPAA for electronic signatures. In the absence of specific standards, covered entities must ensure any electronic signature used will result in a legally binding contract under applicable State or other law.”

Normally, a signature is not needed for many healthcare transactions that share PHI for treatment or payment – making the question of can e-signatures be used under HIPAA rules irrelevant. However, when a signed authorization is needed for a disclosure of PHI not allowed by the HIPAA Privacy Rule – for instance for marketing or research purposes – specific conditions must be present.

The Conditions Required for E-Signatures under HIPAA Rules

The conditions required for e-signatures under HIPAA rules also have to comply with the Federal Electronic Signatures in Global and National Commerce Act (ESIGN Act) and the Uniform Electronic Transactions Act (UETA). The conditions are:

Legal Compliance. Not only should the contract, document, agreement, or authorization adhere with the federal rules for e-signatures, they should also clearly show the terms, clearly show the intent of the signatory, and the option should be available for the signatory to receive a printed or emailed copy of the contract. Covered bodies are also advised to seek legal advice about any state or local legislation that might also determine can e-signatures be used under HIPAA rules.

User Authentication. Covered bodies must put in place a system to validate the identity of all participating parties in order to prevent disputes about whether the person who entered into the agreement actually had the authority to do so. Mechanisms such as two-step verification, completing “secret knowledge” questions, adapting specialized e-signature software and phone/voice authorization can resolve this problem.

Message Integrity. A system to stop digitally tampering with the agreement after it has been completed must be implemented to ensure the integrity of the agreement both in transit and at rest. This condition is very similar to the security measure of the HIPAA Security Rule and should be dealt with using the same level of importance. OCR Inspectors may be looking for e-signature risk assessments and a high level of integrity will be required in all areas when conducting the next phase of HIPAA audits.

Non-Repudiation. In order to ensure that the signatory will not be able to deny having completed the agreement, e-signatures used under HIPAA rules should have a timestamped audit trail showing dates, times, location and the chain of custody. This will ensure that contracts are legally enforceable and that authorization for the sharing of PHI cannot later be argued. Providing the signatory with a printed or emailed copy of the document is one step to preventing repudiation.

Ownership and Control. The last requirement for e-signatures to be used under HIPAA rules relates to copies of signed documents stored on the servers of e-signature service providers. In order for a covered body to ensure the integrity of PHI, all of the proof supporting the e-signature should be on the same document under the ownership and management of the covered body. All other copies of this – except those given for the signatory – should be digitally destroyed.

Establish Can E-Signatures be used under HIPAA Rules by Conducting a Risk Assessment

The implementation of e-signature technology has its benefits, but it also has the potential to increase medical mistakes and opportunities for fraud. The level of danger will be different according to the nature of the transaction, and it is important for covered bodies to conduct a risk assessment before deciding can e-signatures be implemented under HIPAA rules in their particular environment.

It is vital that the conditions necessary for HIPAA e-signature requirements to be met and adapted before a covered body uses e-signatures for any important communications in which a patient’s individually identifiable protected health information is transmitted.